Faced with this backlash, state and federal regulatory agencies are beginning to respond. California has already passed strong privacy legislation that requires financial institutions to obtain permission from customers before sharing personal information with nonaffiliated companies. Another California law requires other businesses to report to customers if they share personal information with nonaffiliated companies. Twenty-one states have passed laws that require companies to contact customers if a security breach occurs. On a national level, more than a dozen data security bills have been introduced in Congress this year. They vary in severity, the strictest requiring all companies to notify consumers whenever there is a data breach and give those consumers the ability to see and correct information collected about them. Experts say some kind of legislation on data security and privacy will almost certainly be passed this year.

“There will be legislation to tighten up privacy,” says Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center. “And if not legislation, there will be more regulation.”

Government intervention aside, many experts argue that carefully thought-out privacy controls make good business sense. Larry Ponemon, the founder and chairman of the Ponemon Institute, has some evidence to back up that assertion. He measured “privacy trust scores” for over 1,000 companies by asking customers to rank on a scale of one to five how much they trust the companies with which they do business. For each company, Ponemon asked consumers more than 20 questions, including how much they believe the company is committed to protecting their personal information, how accurate and trustworthy they believe the information in the company’s privacy policy is, and if they believe the company would do the right thing in a case of a data breach. From the rankings, Ponemon calculated weighted privacy trust scores for each company. The higher the score, the more consumers trusted a company. Ponemon then measured the rate at which consumers responded to marketing campaigns, be it direct mail or Web advertising. The higher the privacy score, the higher the response rate to marketing campaigns—and the higher the company’s revenue. Taking measurements over time, Ponemon determined that just a small 1 percent increase in a privacy trust score would translate into an increase of tens of millions of dollars in revenue.

“The perception of how well a company manages privacy has quite an astounding impact on sales,” Ponemon says.

CIOs can play a major role in boosting their companies’ “privacy scores.” Because customer data resides in databases, it is the CIO who is in the position to suggest certain privacy policies and spearhead programs to put them into action. CIOs who work for companies with strong track records in this area say there are a number of ways IT can be used to enhance a company’s privacy reputation. These corporate pioneers make sure privacy is part of every executive discussion about new products, services or internal use of customer information. And they ask their customers how they want their personal information handled. Furthermore, while most large companies offer an opt-out feature for customers who do not want their personal information used for marketing purposes or research (although even that feature is often hidden in the fine print of privacy policies), the pioneers routinely adopt opt-in, rather than opt-out, policies. And they have found that these practices help their companies improve customer relationships, ultimately contributing to a better bottom line.